Virtualization Technology News and Information
Axio 2018 Predictions: The Cyber Risk Landscape - What We'll See in 2018

VMblog Predictions 2018

Industry executives and experts share their predictions for 2018.  Read them in this 10th annual series exclusive.

Contributed by Scott Kannry, CEO, Axio

The Cyber Risk Landscape - What We'll See in 2018

If 2017 taught us anything, it's not if a cyber event will happen, but when.  Continued cyber attacks across the globe and in virtually every industry make it clear that no organization can expect their safeguards to work as a guarantee. While there is no silver bullet to stop motivated attackers with constantly evolving capabilities, cyber risk can be successfully managed. Not ones to be left out, we've compiled our own list of what we can expect to see on the cyber risk landscape in 2018 and what security leaders need to be thinking about in order to successfully navigate through it.

Out with the old and in with the new

Technology is always evolving, which means we're going to see some technologies finally be rendered ineffective and obsolete in 2018. We will see a shift away from traditional security technologies like antivirus, single-factor authentication, and firewalls.

Most everyone uses some kind of antivirus, so it must be great, right? Not so fast. As Scott Underwood, Axio's Director of Business Development, explains, "In 2018 we'll see a further slide of traditional anti-virus and perhaps enough innovation with 'next gen' and advanced firewall to see it rendered obsolete. The endpoint fight will start to evolve as organizations move further toward the cloud and the endpoint companies start to become commoditized. Given the number of players in this space, we will see this sooner rather than later."

Dale Gonzalez, Chief Product Officer at Axio, believes that even newer incarnations of AV will quickly become obsolete. "Mobile antivirus, which can do little more than users themselves, is useless. People are realizing now that it's not worth the battery drain, and that app stores and OS vendors should/are providing what protection is available."

In addition, 2017 brought a decline in password/single-factor authentication, as cyber criminals became more sophisticated and password proved as a kitten. "As the cyber landscape continues to become more complex, we will see more and more services offering two-factor authentication in 2018," says Jason Christopher, Chief Technology Officer, Axio.

A post-Equifax world

2017 was the year of the breach (again, like the rebuilt bigger, better, but still vulnerable Death Star 2). The problem is that most security leaders are doing very little to qualify risk now, despite widespread breaches. In a post-Equifax world, we will see a greater appreciation among cyber insurers for very large losses of the type that Equifax is suffering. Additionally, cyber insurers will acknowledge the breach risk of large data aggregators, such as Equifax, and there will be a tightening of the market in terms of coverages.

David White, founder and Chief Operating Officer at Axio, explains, "We are already seeing changes in the industry due to the widespread NotPetya event in June. There is a tightening of non-physical damage cyber coverages that were being made available in commercial property policies for no additional premium." So what does this mean for 2018? "It is rumored that numerous property insurers will experience large losses as a result of overly generous non-physical damage cyber coverages that were made available in their property policies," says White. In other words, coverage will begin to align more closely with risk, so expect premiums to go up as cyberinsurers pay out their first (or their largest) claims.

Control your information and your systems

With the continued success of ransomware, all "info-focused" businesses will be at increased risk in 2018. Gonzalez predicts that travel agencies, drug companies, and information gatherers like Hoovers, AP, and LexisNexis - industries that cannot function without access to the data they have gathered and would likely pay a premium to have it back - will be the juiciest targets.

2018 will also see a larger impact on not only the energy sector, but any sector with industrial control systems. We've seen a rise in optimization from automating these systems, but also an increased risk in connecting them to the internet. "Many vendors are promising features from the Industrial Internet of Things (IIoT), which will continue to be a target for hackers," says Christopher. "That being said, the electric sector has done a good job embracing the challenges presented by this increased threat. Implementation of the latest security standards (NERC CIPv5), combined with an increased attention to supply chain threats, put electric utilities in a better spot to manage risk than other critical infrastructure sectors."

Authentication is the new perimeter

As a result, according to White, authentication is the new perimeter. For most companies, there is no longer a clear perimeter to defend. All organizations are increasingly dependent on the ability to confidently authenticate users prior to allowing them access to organizational assets, wherever those assets may be stored.

I'm a CISO, what do I do?

While there isn't a magic formula for cyber risk, there are several steps security leaders can take to mitigate their risk. First, communication is key. "Organizations need a mechanism for measuring their program improvement and communicating to leadership quarterly in financial terms on how risks are being managed," says Gonzalez.

The second thing enterprises can do is segmentation. White says, "Segmentation, segmentation, segmentation to separate critical operational functions and technologies from the filthy world of email and internet access."

Christopher reminds CISOs to return to the basics. "Manage your assets and access to those assets first and foremost," Christopher says. "You cannot begin to protect your business until you are certain of your visibility across those two elements. From there, identify your crown jewels and ask yourself what you are doing to protect them."

In 2018, security leaders need to embrace that cyber risk "mitigation" is not the only tool in the risk management toolkit. Understanding risks means there is not always an easy or cost-effective solution, so other methods of managing the risk, and communicating it to boards, are required. Like any other business segment, organizations need to plan for a future that extends well beyond 12 or 24 months. It is OK if those long-term plans change after managing more tactical concerns, but security leaders can't lose sight of the continued improvement cycle that all security programs need.

And of course, because no one last year predicted that one of the Big 3 credit bureaus would be hacked and respond as poorly as they did, we also leave you with some parting words (moonshot bets) from the Axio team:


Jason Christopher, CTO: "More ICS operators will demand visibility into their networks with passive intrusion detection technologies and examine malware trying to leave their environments. In the wake of recent malware discoveries, including CRASHOVERRIDE, the idea of real-time detection in engineering operations will become more prevalent and needed."

David White, founder & COO: "U.S. Congress will pass comprehensive cybersecurity regulation that impacts all US critical infrastructure."

Dale Gonzalez, CPO: "In 2018 we'll see the first virus designed to take advantage of Augmented Reality. 'When you own the information, you can spin it how you want.'"


About the Author

Scott M. Kannry is the Chief Executive Officer of Axio. Axio is a cyber risk-engineering firm that helps organizations implement more comprehensive cyber risk management based on an approach that harmonizes cybersecurity technology/controls and cyber risk transfer. For more information, visit 

Published Tuesday, December 19, 2017 7:25 AM by David Marshall